WordPress.Net.IN Taken Offline

Back on June 1st, Michael VanDeMar published a lengthy post explaining the process he goes through in order to clean up an infected website. One exploit that Michael points out is a bad index.php file which if ran as an include(), pulls bad information from the domain WordPress.Net.IN. This domain according to Michael has been in existence for at least three years, first being registered in 2007.

Not only is it being used as an exploit delivery mechanism, but it’s violating the WordPress trademark. According to comments made on the post by Matt Mullenweg, he had attempted to contact the domain registrar to have the domain taken offline.

Okay, well short story is I looked into this when the hack first came up, but haven’t noticed it since and haven’t thought about the domain since then. I’ll contact some friends in the domain business to see what we can do now. (We have a lot more resources than three years ago.)

A few days later, Matt has confirmed that the domain has been taken down due to some help from Justin at GoDaddy. However, there is a difference between taking a domain down and taking ownership of it due to the WordPress trademark. It’s not clear yet whether Matt has put in the effort to try and take ownership of the domain. If not, it’s possible that at some point down the road, the domain will continue to be used but on a different registrar/host which wouldn’t be good for anyone, especially if it were to continue being used as an exploit delivery tool.

I’m interested in how the WordPress trademark is being protected. Is it the sole work of Matt going after violators or is there a team of lawyers acting on Matt’s behalf? I’d also be interested to hear in how a typical trademark violator is dealt with. Everything from discovery to the process of getting it removed or taking over ownership. I think it would be something a lot of folks in the community would be interested to know about.

As for the other point in Michael’s post regarding priorities, meh.

Who is Jeff Chandler

Jeff Chandler is a WordPress guy in the buckeye state. Contributing writer for WPTavern. Have been writing about WordPress since 2007. Host of the WordPress Weekly Podcast.

I am sure Matt can’t afford to go the Google way (Are you aware that Google owns every variation of Google and all the CCTLD and regular TLD?).

If a website is violating your TM

Step one: send an e-mail from your @domain.com address (since now a days unlimited addresses are given, create a new one).
Step two: If things don’t happen then you e-mail the webhost and if it’s different the domain registrar. If the website has google adsense or other advertising networks/affiliates, then CC those networks and the owner
Step three: e-mail owner a third time

This has been on my mind for some time as I own the http://wordpressmodder.org domain. This trademark conversation piqued a year or so ago and it was then I started thinking about making a plan to move the site to a different domain. My intentions for the domain were purely innocent as I wanted to give back to the community in the way that I was helped in learning WP.

Well, life got in the way and the domain still holds the same content, but it doesn’t updated. This post gives me a renewed urgency to move the content to another domain and also to start posting updated tutorials.

It’s not a minor detail. It is ostensibly a priority for WPF that a certain reputation and philosophy be tied to the WordPress name. Thus, protecting the use of that name is critically important. With both reputation and trademark, if you don’t protect them, you will lose control of them.

The creation of the WordPress Foundation to own the trademarks of the WordPress project is a fantastic development, because it will allow those involved to focus their efforts where they are most effective and beneficial.

That said, if Matt is so busy with making WordPress the most awesome product that it is (and make no mistake: he’s done a wonderful job in that regard) to be able to fulfill the necessary duties of trademark ownership, then, in the best interests of the project, he needs to hand off (or delegate) those responsibilities to another.

Please don’t mistake that comment as a knock against Matt. He’s great at what he does, and WordPress is awesome under his leadership. And honestly, I don’t think very many people in this world could wear both of those hats effectively.

But protecting the WordPress trademark simply has to be one of the top priorities of the WPF. If Matt believes that his efforts are not best-spent focusing on that priority, then, for the good of the project, he needs to appoint someone who can focus on that priority, through the WPF.

I think getting the .com.in domain taken down is great news, because a known, malicious, exploitative, trademark-infringing domain being allowed to exist for three years is, quite simply, inexcusable.

@Chip Bennett – But I think it’s worth mentioning that at the time, Matt tried to take care of the domain. However, the attempts failed which is where some people could argue that he should have kept trying. I imagine he started focusing on other things but fast forward to today, it’s probably a little easier to work with domain registrars to get domains taken offline due to trademark infringement. I mean, he contacted someone at GoDaddy and now the domain is suspended/offline.

Since I know Matt is a smart guy and understands the need to protect the trademark and he is human like everyone else, I think Michaels priority points in his article are Meh.

But I think it’s worth mentioning that at the time, Matt tried to take care of the domain. However, the attempts failed which is where some people could argue that he should have kept trying.

This wasn’t just some site infringing on the WordPress trademark. This was a malicious domain whose sole reason for existence was to exploit WordPress installations. There should have been no “giving up” or “moving on to other things”.

Look, the other 230 .com/.net/.org domains infringing on the WordPress trademark are another matter. Many probably didn’t find out the TM usage rules before registering the domain name. Some probably did, but didn’t care. But as far as we know, none of them has been used as an on-going, active exploit mechanism for WordPress installs.

Three years ago, I was successfully having copyright-infringing content removed from websites. Little, old, nobody me – successfully navigating hosts’ TOS and complaint-resolution systems, to protect my own copyrighted work.

If I could successfully defend my copyright and have infringing work taken down, surely WordPress could have successfully defended its trademark and gotten a patently malicious domain taken down – if it had been given the proper priority.

I’m not trying to bust Matt’s chops here, but at the same time, I don’t understand defending three years’ worth of negligence – which is what I get the impression that you’re trying to do.

@Chip Bennett – Have you ever tried to get a malicious site taken down? Even for Global National Bank, whom I work for, we had someone make a site with a name similar to ours (gnb-online.com for example) that phished our partners’ passwords AND ACCOUNT NUMBERS.

It took us months to get that sorted out, even though they were using images etc all cleverly scoped from our site, and clearly malicious. And we have a team of lawyers. I was a young pimply faced youth and not the BOFH I am today when this happened, but I remember clearly sitting in on meetings and being astounded at the level of ‘proof’ some webhosts demand.

This is one of those things that really should be easier, but for reasons I can understand, is a mother fu**ing pain in the a**

I’m not defending this. Matt (and the WordPress Foundation more specifically) dropped the ball on this one. They made a mistake and forgot about this, in the business of everything else. That happens, and Matt admitted it. I am pointing out that most of the time, this sort of defense is as simple as ‘Yo, stop infringing!’ but when it’s not, you want to shoot yourself.

There is nothing wrong with having WordPress is your domain name as long as you redirect it to a “wp___.com” version.

Far to often I see people saying that I have WordPress in there domain and dont know what to do. The simple option is to buy the wp version (without WordPress) and redirect the WordPress version to it.